Date: Thu, 30 Nov 2000 18:26:28 +0100
From: Gerhard Sittig <Gerhard.Sittig@gmx.net>
To: freebsd-security@freebsd.org
Subject: Re: filtering ipsec traffic
Message-ID: <20001130182628.P27042@speedy.gsinet>
In-Reply-To: <20001129185752.O27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Wed, Nov 29, 2000 at 06:57:52PM +0100
References: <Pine.NEB.4.21.0011282320230.16898-100000@phalse.2600.com> <20001129185752.O27042@speedy.gsinet>
On Wed, Nov 29, 2000 at 18:57 +0100, Gerhard Sittig wrote:
>
> Am I wrong thinking that one already has these four hooks
> available?  (Sorry, I haven't toyed with IPsec yet.)
>
> [ ... ]
>
> And the way out is similar with a chain of
> app -> enc0 -> IPsec -> tun0 -> wire

Woops, forget the above, please! :)  I must have been asleep and
was confusing this with OpenBSD.  Let me cite from their manpages
(sorry, don't have a running system around here so I will UTSL :)
-- feel free to read the online manpages at www.CC.freebsd.org in
your preferred output format).

----- ipsec(4) --------------------------------------------------
...
For example:
.Bd -literal -offset indent
Net A <----> Firewall 1 <--- Internet ---> Firewall 2 <----> Net B
.Ed
.Pp
Firewall 1 and Firewall 2 can protect all communications between Net A
and Net B by using
.Tn IPsec
in tunnel mode, as illustrated above.
.Pp
This implementation makes use of a virtual interface
.Nm enc0 ,
which can be used in packet filters to specify those packets that
have been or will be processed by
.Tn IPsec.
...
-----------------------------------------------------------------

----- enc(4) ----------------------------------------------------
...
.Sh SYNOPSIS
.Cd "pseudo-device enc 4"
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using
.Xr ipf 5 .
The
.Xr vpn 8
manpage shows an example of such a setup.
...
-----------------------------------------------------------------

Maybe that's something FreeBSD wants to have, too?  I don't see a
difference in which filter gets the packet once it enters / leaves
the IPsec functionality block and feel the mention of ipf(5) -- why
5, not 8 or 4? -- to come from the fact that it's OpenBSD's native
filter.
virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
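To make the enc0 idea from the quoted ipsec(4)/enc(4) text concrete, here is a constructed ipf ruleset for "Firewall 1" in the Net A / Net B picture. It is an added example, not part of the message above and not taken from OpenBSD's vpn(8); the interface name ne0, the addresses 192.0.2.1 / 192.0.2.2 and the subnets 10.1.0.0/16 / 10.2.0.0/16 are all assumptions. The point it illustrates is the one the manpage makes: the outer interface only ever sees ESP and IKE, while enc0 is where the decapsulated (inbound) and about-to-be-encapsulated (outbound) plaintext can be filtered on inner addresses.

```conf
# Constructed example ipf(5) rules for "Firewall 1".  Assumed names:
#   ne0          external interface of Firewall 1, address 192.0.2.1
#   192.0.2.2    external address of Firewall 2 (the IPsec peer)
#   10.1.0.0/16  Net A (behind Firewall 1)
#   10.2.0.0/16  Net B (behind Firewall 2)
# "quick" makes each rule final on match, so order is top-down.

# Wire side: only the known peer may exchange ESP (proto 50) and IKE (udp/500) with us.
pass in  quick on ne0 proto esp from 192.0.2.2 to 192.0.2.1
pass in  quick on ne0 proto udp from 192.0.2.2 port = 500 to 192.0.2.1 port = 500
pass out quick on ne0 proto esp from 192.0.2.1 to 192.0.2.2
pass out quick on ne0 proto udp from 192.0.2.1 port = 500 to 192.0.2.2 port = 500

# Anti-leak guard: Net A <-> Net B traffic must never cross the wire in the clear,
# e.g. if the security associations are missing or have expired.
block out log quick on ne0 from 10.1.0.0/16 to 10.2.0.0/16
block in  log quick on ne0 from 10.2.0.0/16 to 10.1.0.0/16

# enc0 side: "in" = just decapsulated by IPsec, "out" = about to be encapsulated.
# Only the two agreed subnets may use the tunnel; everything else is logged and dropped,
# which also catches a peer that injects packets with unexpected inner addresses.
pass in  quick on enc0 from 10.2.0.0/16 to 10.1.0.0/16
pass out quick on enc0 from 10.1.0.0/16 to 10.2.0.0/16
block in  log quick on enc0 all
block out log quick on enc0 all
```

Two things worth checking when adapting this: enc0 only carries traffic that IPsec on this host processes, so a packet that was never encapsulated (or never decapsulated) shows up on ne0 with its real inner addresses, which is why the guard rules on ne0 are there and not only the enc0 rules; and the `block ... all` pair on enc0 is what turns the tunnel into an allow-list, so any additional service between the two nets needs an explicit `pass` on enc0, not on ne0.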